Abstract

Recently, Tian et al. presented an article in which they discussed some
security weaknesses of Yoon et al.'s scheme and subsequently proposed two
"improved" schemes. In this paper, we show that Tian et al.'s schemes are
insecure and more vulnerable than Yoon et al.'s scheme.

1 Introduction

Remote system authentication is a process by which a remote system gains
confidence about the identity (or login request) of the communicating partner.
Since the introduction of Lamport's scheme [1], several new proposals and
improvements on remote system authentication [2], [3], [4], [5], [6] have been
proposed. Recently, Tian et al. [7] presented an article observing some flaws
in Yoon et al.'s scheme [8], and subsequently suggested two improved schemes.
Tian et al.'s observation on Yoon et al.'s scheme rested on this assumption:
if an attacker steals a user's smart card and extracts the values stored in it
through some means [9], [10] without being noticed, then the attacker can
either masquerade as the user to forge a valid login request, or masquerade as
the server to forge a valid reply message.
In this paper, we show that Tian et al.'s schemes are insecure under the very
assumption they considered and are, in fact, more vulnerable than [8].
The remainder of the paper is organized as follows. In the next section, we
review Tian et al.'s schemes. In Section 3, we show the security weaknesses of
the schemes. We conclude the paper in Section 4.

2 The Tian et al.'s Schemes

The schemes consist of four phases: Registration, Login, Authentication and
Password change. The registration and password change phases are the same for
both schemes.

Registration phase: A new user can register to the remote server by the following 
steps. 

R1. A user $U_i$ submits his identity $ID_i$ and password $PW_i$ to the server
($S$) through a secure channel.

R2. Then $S$ chooses four distinct cryptographic one-way hash functions
$h(\cdot)$, $h_1(\cdot)$, $h_2(\cdot)$, and $h_3(\cdot)$.

R3. $S$ computes $R_i = h(ID_i, X_s)$, $H_i = h(R_i)$ and
$X_i = R_i \oplus h(ID_i, PW_i)$, where $\oplus$ denotes the bitwise
exclusive-OR operation.

R4. Then $S$ personalizes a smart card with
$\langle ID_i, H_i, X_i, h(\cdot), h_1(\cdot), h_2(\cdot), h_3(\cdot) \rangle$
and sends it to $U_i$ in a secure manner.

Password change phase: This phase is invoked when a user $U_i$ wants to change
his password from $PW_i$ to $PW_i'$. The user attaches his smart card to the
card reader and enters $PW_i$, then the smart card performs the following
operations:

P1. Compute $R_i' = X_i \oplus h(ID_i, PW_i)$ and $H_i' = h(R_i')$.

P2. Compare $H_i'$ with $H_i$. If they are equal, then the user enters a new
password $PW_i'$, otherwise it rejects the password change request.

P3. Compute $X_i' = R_i \oplus h(ID_i, PW_i')$. Then, store $X_i'$ in the smart
card in place of $X_i$.

2.1 The First Scheme

This scheme uses the timestamp mechanism to avoid the replay attack (assuming 
the user and server time synchronization is proper). 

Login phase: $U_i$ attaches his smart card to the card reader and enters
password $PW_i^*$. Then the smart card performs the following operations:

LF1. Compute $R_i' = X_i \oplus h(ID_i, PW_i^*)$ and $H_i' = h(R_i')$.

LF2. Compare $H_i'$ with $H_i$. If they are equal, then the smart card proceeds
to the next step, otherwise it terminates the operation.

LF3. Compute $C_1 = h_1(S, ID_i, R_i, T)$, where $T$ is the timestamp.

LF4. $U_i$ sends the login request $\langle ID_i, T, C_1 \rangle$ to $S$ over a
public channel.

Authentication phase: Upon receiving the login request
$\langle ID_i, T, C_1 \rangle$, the server $S$ and the user $U_i$ perform the
following steps for mutual authentication:

AF1. $S$ checks the validity of $ID_i$ and $T$. If both are correct then it
proceeds to the next step, otherwise it rejects the login request.

AF2. $S$ computes $R_i = h(ID_i, X_s)$ and checks whether
$C_1 = h_1(S, ID_i, R_i, T)$. If this check holds, $S$ is assured that $U_i$ is
authentic and proceeds to the next step, otherwise it rejects the request.

AF3. $S$ computes $C_2 = h_2(ID_i, S, R_i, T')$, where $T'$ is a timestamp.
Then, $S$ sends $\langle T', C_2 \rangle$ back to $U_i$ through the public
channel.

AF4. Upon receiving $S$'s response message $\langle T', C_2 \rangle$, $U_i$'s
smart card first checks the validity of $T'$ and then whether
$C_2 = h_2(ID_i, S, R_i, T')$. If these checks hold, $U_i$ is assured of the
authenticity of $S$ and the mutual authentication is done, otherwise it rejects
the connection.

AF5. Once the mutual authentication is completed, $U_i$ and $S$ use
$h_3(ID_i, S, R_i, T, T')$ as the session key.

2.2 The Second Scheme 

This scheme uses a nonce based challenge-response mechanism, so it avoids the time 
synchronization problem. 

Login phase: $U_i$ attaches his smart card to the card reader and enters
password $PW_i$. Then the smart card performs the following operations:

LS1. Compute $R_i' = X_i \oplus h(ID_i, PW_i)$ and $H_i' = h(R_i')$.

LS2. Compare $H_i'$ with $H_i$. If they are equal, it proceeds to the next
step, otherwise it terminates the operation.

LS3. Send the login request $\langle ID_i, N_i \rangle$ to $S$ over a public
channel, where $N_i$ is a nonce selected by $U_i$.

Authentication phase: Upon receiving the login request
$\langle ID_i, N_i \rangle$, the server $S$ and the user $U_i$ perform the
following steps for mutual authentication:

AS1. $S$ checks the validity of $ID_i$.

AS2. $S$ chooses a nonce $N_s$, computes $R_i = h(ID_i, X_s)$ and
$C_1 = h_1(S, ID_i, R_i, N_i, N_s)$, and sends $\langle C_1, N_s \rangle$ to
$U_i$ over a public channel.

AS3. Upon receiving $\langle C_1, N_s \rangle$, $U_i$ checks whether
$C_1 = h_1(S, ID_i, R_i, N_i, N_s)$. If this check holds, $U_i$ is assured of
the authenticity of $S$, otherwise it terminates the operation.

AS4. $U_i$ computes $C_2 = h_2(ID_i, S, R_i, N_s, N_i)$ and sends it to $S$.

AS5. Upon receiving $C_2$, $S$ checks whether
$C_2 = h_2(ID_i, S, R_i, N_s, N_i)$. $U_i$ is authentic if the check passes and
the mutual authentication is done, otherwise $S$ terminates the operation.

AS6. After the mutual authentication, the user and the server use
$h_3(ID_i, S, R_i, N_i, N_s)$ as the session key.

3 Security Weaknesses 

The following attacks are based on this risk to the information stored in a
smart card:

A legitimate user could extract the values stored in the smart card by some
means [9], [10]; then he/she could act in the role of the server to register
any number of users. We note that Tian et al.'s scheme also assumed a similar
risk.

1. Attacks by a legitimate user 

In the registration phase, $X_i = R_i \oplus h(ID_i, PW_i)$ is stored in
$U_i$'s smart card. Once $U_i$ extracts $X_i$ from his smart card by some means
[9], [10], he/she can easily get $R_i$ by computing
$R_i = X_i \oplus h(ID_i, PW_i)$. After that, no remote server is required to
register a new user: $U_i$, who has $R_i$, could register any number of users
by distributing $R_i$ and $ID_i$. In fact, those who get $R_i$ and $ID_i$ from
$U_i$ need neither a smart card nor a password to log in to $S$, because a
valid login message is $\langle ID_i, T, C_1 \rangle$, where $T$ is a timestamp
(for the first scheme) and $C_1 = h_1(S, ID_i, R_i, T)$. For the second scheme,
the challenge-response involves only the secret $R_i$; the other parameters are
public. Therefore, the server secret is virtually compromised by a legitimate
user's smart card.

2. Attacks by an adversary 

Suppose an attacker steals $U_i$'s smart card and intercepts
$C_1 = h_1(S, ID_i, R_i, T)$ from a valid login request. Now the attacker
extracts the information stored in the smart card and launches an offline
guessing attack on $PW_i$ in order to obtain the value of $R_i$. The attacker
guesses a password and obtains an $R^*$, and then checks whether
$C_1 = h_1(S, ID_i, R^*, T)$. Once the guess succeeds, the attacker has a valid
$R_i$ and can create any number of valid login requests.

3. No two-factor authentication 

Two-factor authentication is a technique that requires two independent factors
(e.g. password, smart card) to establish identity and privileges. Common
implementations of two-factor authentication use 'something you know: password'
as one of the two factors, and use either 'something you have: smart card' or
'something you are: biometric' as the other factor. A common example of
two-factor authentication is a bank card (credit card, debit card); the card
itself is the physical item, and the personal identification number (PIN) is
the data that goes with it.
In Tian et al.'s scheme, we observe that once a party has $ID_i$ and $R_i$,
he does not require a password or a valid smart card at all. Without password
and smart card, one can easily pass the mutual authentication and establish the 
session key. Therefore, the schemes lack two-factor authentication. 
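
The weakness described in this section, worked through for the first scheme as an added example (not code from the paper or from Tian et al.): SHA-256 with a domain tag stands in for $h$ and $h_1$, and the server name, user name, passwords and timestamps are constructed. It goes one step beyond the text by also running the password change phase, which shows that a copy of $R_i$ stays valid afterwards because $R_i = h(ID_i, X_s)$ does not depend on $PW_i$.

```python
import hashlib, hmac, secrets

def H(tag, *parts):
    # Domain-separated SHA-256 standing in for h, h1, h2, h3 (assumption).
    m = hashlib.sha256(tag.encode())
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        m.update(len(b).to_bytes(4, "big") + b)   # length-prefix each field
    return m.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

S = "server.example"            # constructed server identity
X_S = secrets.token_bytes(32)   # server secret X_s

def register(uid, pw):          # R3/R4: card stores <ID_i, H_i, X_i>
    r = H("h", uid, X_S)
    return {"ID": uid, "H": H("h", r), "X": xor(r, H("h", uid, pw))}

def unmask(card, pw):           # LF1/LF2 and P1/P2: accept R_i' iff h(R_i') == H_i
    r = xor(card["X"], H("h", card["ID"], pw))
    return r if hmac.compare_digest(H("h", r), card["H"]) else None

def login_request(uid, r, t):   # LF3/LF4: depends on ID_i, R_i and T only
    return uid, t, H("h1", S, uid, r, t)

def card_login(card, pw, t):
    r = unmask(card, pw)
    return None if r is None else login_request(card["ID"], r, t)

def change_password(card, old, new):   # P1-P3: only the mask on R_i changes
    r = unmask(card, old)
    if r is not None:
        card["X"] = xor(r, H("h", card["ID"], new))
    return r is not None

def server_verify(uid, t, c1):  # AF2 (timestamp freshness check omitted)
    return hmac.compare_digest(c1, H("h1", S, uid, H("h", uid, X_S), t))

def demo():
    card = register("alice", "old-pass")          # constructed credentials
    r_i = unmask(card, "old-pass")                # R_i = X_i xor h(ID_i, PW_i)
    results = {"card_login": server_verify(*card_login(card, "old-pass", 1000)),
               "wrong_password": card_login(card, "nope", 1000)}
    changed = change_password(card, "old-pass", "new-pass")
    req = login_request("alice", r_i, 2000)       # built with no card and no password
    results["r_only_after_change"] = changed and server_verify(*req)
    results["old_password_on_card"] = card_login(card, "old-pass", 3000)
    return results
```

The card correctly refuses the old password after the change, yet the server still accepts a request built from the earlier copy of $R_i$; in the scheme as described, nothing short of changing $ID_i$ or $X_s$ invalidates it.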

4 Conclusion 

The threat to smart card security [9], [10], [11] is a crucial concern where
secret information is stored in the memory of smart cards. However, to the
best of my knowledge, one can still use a smart card to store some secret data
by considering the application's requirements and the scope/value of the secret
information stored in the smart card. It is also important to judge the
financial cost and time needed to extract the secret data from the smart card.
If the cost as well as the time is tolerable or higher than the cost of the
secret inside the smart card, then one can take that risk while using a smart
card to store some secret data. If extracting a secret from the card leads to
the collapse of the whole system (e.g. Tian et al.'s schemes), then some
additional countermeasures should definitely be taken while designing the
scheme. Of course, smart card vendors are quite aware of these threats and they
are continuously taking countermeasures to safeguard the cards' security.

We have shown that Tian et al.'s scheme is insecure because of several
weaknesses. Merely extracting a secret from a smart card can collapse the whole
system's security.